Analysis
-
max time kernel
559s -
max time network
561s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
-
submitted
12-11-2024 22:46
General
-
Target
autodist_proproctor_M2 (2).zip
-
Size
34.9MB
-
MD5
38cbe4bfde65070ccbd42fd6d4fd7517
-
SHA1
a6c8e7cea56ffe8eae93db6128f440cfdf7078e7
-
SHA256
8e42aaf1c038c992a57bbeb607e21df8d7d2f40248c5b35cd431cac0a1b5c77f
-
SHA512
251405e6b4885f2e72be95494609899c7fbd51371e5389c9d3bfdbca7201af24a4ba3724ba409c9837960277194115575c3538c921afde456b96cd763b8d0c15
-
SSDEEP
786432:qK3WRVP/LiO0hSfYxv73lwlOxWyr4Rp73lwlOxWyr4RMst9:qK67iOwSf+73lxxWyrCp73lxxWyrCMc
Malware Config
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 8 IoCs
-
UAC bypass 3 TTPs 4 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 8 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 30 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\autodist_proproctor_M2 (2).zip"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Quasar.vmp.exe"C:\Users\Admin\AppData\Local\Temp\Quasar.vmp.exe"1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Documents\Client-built.exe"C:\Users\Admin\Documents\Client-built.exe"1⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\tmpF884.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpF884.tmp.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\DockerWorkshopV3\WindowsAudioServiceV3.exe"C:\Program Files (x86)\DockerWorkshopV3\WindowsAudioServiceV3.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Documents\Client-built.exe"C:\Users\Admin\Documents\Client-built.exe"1⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Users\Admin\Documents\Client-built.exe"C:\Users\Admin\Documents\Client-built.exe"1⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\tmpAD49.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAD49.tmp.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12.3MB
MD549fee9e45690cb2d12f32923ff5c7060
SHA1eaa52d56f0998b81bd54397d0d0d0c68d47e4838
SHA2564bcc56b8279bc707e0f6a21a9fddc8c67903383f84ba1bc0477b8327ab370719
SHA512e08c1fb1b1fb76dd6b6d768b397ca7b20bba1aa54affee551e248830ccf8bbf8957e888eb88be4725c047b52c592d13ebae1218771699739c31bcfb43f9d9390
-
Filesize
161B
MD5c16b0746faa39818049fe38709a82c62
SHA13fa322fe6ed724b1bc4fd52795428a36b7b8c131
SHA256d61bde901e7189cc97d45a1d4c4aa39d4c4de2b68419773ec774338506d659ad
SHA512cbcba899a067f8dc32cfcbd1779a6982d25955de91e1e02cee8eaf684a01b0dee3642c2a954903720ff6086de5a082147209868c03665c89f814c6219be2df7c
-
Filesize
178KB
MD50646998ef06d1e8d3471824151d23dfe
SHA1ff3d549f20df9740847a36b218f3565f8613e0ab
SHA2566e654a9dbb543d5a68d3d6c68daec7fd983304927b49fdc2d05a6cbc90601618
SHA512f39a46864389f476c2b850bbe39e40c92706b9ae2f95755dd4a557c5a0bb9a3d58c33b53f6a5627f1715f6c18d1c17b0b9a47762b2584ab6c203c0d7eaada54c
-
Filesize
277KB
MD58df4d6b5dc1629fcefcdc20210a88eac
SHA116c661757ad90eb84228aa3487db11a2eac6fe64
SHA2563e4288b32006fe8499b43a7f605bb7337931847a0aa79a33217a1d6d1a6c397e
SHA512874b4987865588efb806a283b0e785fd24e8b1562026edd43050e150bce6c883134f3c8ad0f8c107b0fb1b26fce6ddcc7e344a5f55c3788dac35035b13d15174
-
Filesize
45KB
MD5e3986207ac534dcc31265bbfbd2ccc79
SHA13f1139ed1a4e2332507765a60ed2bf4dc0d6c29e
SHA25689bf6331396dcf10a4d779059105f61a50b4d2fbbe7bf89cdd5dc3102296415f
SHA512ede1e4bd5763cbeee3b20b53c8678c2a73cd50ca6963235cfab5a7795fc8cc47b42a4e9e0b16b4b68d0b39590bd61fc0e63a9667ead2414e7d1bb2c5e7d95cbb
-
Filesize
1KB
MD57c656cad4513a2ff09f06412c49427fd
SHA118a7978a5c25f96b62767026f2fab30dd5222996
SHA256d8229435f417ac620cf926d6aa0c93a2b1739323503b552b3a1e8f7fc594d39a
SHA512c579259a9692dd01afb2522d8d33a8ee498e4737de44bb47daeb7edb8ad54b2b2e135a0f60ac2efd0f70c8ec4d43bb6a4b61820df4bda6eaf76fbcb14f35b222
-
Filesize
1014B
MD57a93a183ecd0710fb4cd1413dab7527e
SHA19291b9ad8eeb03ac54e096534b11ea9c860ef9ff
SHA256280bd4dc49b7b780aa9fa3e625ff3fde09cf4b2bd9438a4637837c06dbf7c2dd
SHA51239dd600908fe9bcda6bd89e4695f3b4cac1be6362603ed36b2fad0f13bbc474fdca20bf6f90262e081282e635ed771ee18dda7035af2cc5e9b92e5a6dc1caf40
-
Filesize
2.1MB
MD5a0dace1b704c623aba724810af79fb01
SHA139ccaaa4ed9840a2f8492f0bda615ae9f8e8b8dd
SHA256ef857f86022cd05c7916f9422ea9f731277b33a4c21efd2e2a475d95d6739f6d
SHA512b6ccc516c7b506d4ad8094474c9b558f79a189e0790344aac54f240a9124f13dff7d485fdbcc05d83ea7330ce673f88bd4a51c7c09668cf5a006ca09304054dc
-
Filesize
76KB
MD564e9cb25aeefeeba3bb579fb1a5559bc
SHA1e719f80fcbd952609475f3d4a42aa578b2034624
SHA25634cab594ce9c9af8e12a6923fc16468f5b87e168777db4be2f04db883c1db993
SHA512b21cd93f010b345b09b771d24b2e5eeed3b73a82fc16badafea7f0324e39477b0d7033623923313d2de5513cb778428ae10161ae7fc0d6b00e446f8d89cf0f8c
-
Filesize
410B
MD512251926fa9dcba8e4804f6a4b916738
SHA1e05acba7468274ad42d42f3074e26e46e2ae5474
SHA2564146117a7634ca0298529582217756dd06d19370d6806325ce0ab07878bb0c57
SHA512d9bb8b63ae15195e652412a5cfa81b863675a5405e8945dee8679b96ed65eac58ffe2af411981058ddc51640d7316a6535ccbaa9591d763df7f43380bc8ad104
-
Filesize
268KB
MD50db84d4cebc40434c9d350caed5fc9d9
SHA1215a64172f15e01a0c227907be8d254877519ca8
SHA2567f7c521207ede40cca08b0d5132bd20d742db81bb09d5f75ffe6e02fe638fae8
SHA51225579389947d540948a35d28b77e407784c40f48f8eae97b393d780e95e13093104bc439fc7944fac9837e66aad93fdd3e0891d356f6778aa3fa5c9182325c9b
-
Filesize
12.4MB
MD565d4e93d6f9cfb7805c84b31b9a7bde5
SHA16bad70a61721505fe61da80d1f8bf02a36f06193
SHA256d2b9632cc05eb493d1b79d1830593a06834d1ba3a25de8a79ae6fdc77cf17cb2
SHA51293b9eea55960e05b2c0eb5616ba3183aad1524a7697130a4e55385a0e69c9c80fc475786007abff2da59a28d42e91e1dab2447db3b52a95de1f405bf48bb3442
-
Filesize
12.4MB
MD50bbf67023ccb0d7d6118879bc247eb61
SHA1e3ee0dc910ef172aed0ce6c45114f018ef9775d8
SHA256cc7539e2b37920e4ff7992f28d16bae5f47e7b046bd9346d0642f93b7a7e59a8
SHA5122cfe23f243357e98d101a2a8bab4135056101471dd2547608bdf1fecd0772a7de652d4a780125709ca041597b90c6e52cc6d52154973782d07df3c423a40d171
-
Filesize
12.4MB
-
Filesize
296KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
12.4MB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.6MB
-
Filesize
12.4MB
-
Filesize
584KB
-
Filesize
144KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
56KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
104KB
-
Filesize
72KB
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
10.8MB
-
Filesize
4.3MB
-
Filesize
8KB
-
Filesize
56KB